The Washington PostDemocracy Dies in Darkness
The Switch

Universities aren’t doing enough to train the cyberdefenders America desperately needs

By
April 11, 2016 at 11:01 a.m. EDT
More cyberattacks are undoubtedly coming, but will there be enough people to help defend against them?  (Chris Ratcliffe/Bloomberg)

The threat of hacking seems to lurk around every corner, but American universities may not be doing enough to prepare the next generation of cyberdefenders.

None of America's top 10 computer science programs -- as ranked by U.S. News & World Report in 2015 -- requires graduates to take even one cybersecurity course, according to a new analysis from security firm CloudPassage.

Three of the 10 top-ranked programs don't even offer a single elective cybersecurity course, according to the company's findings. And only one of the top 36 programs, the University of Michigan, requires students to take a security course to graduate.

Businessman admits helping Chinese military hackers target U.S. contractors

The dramatic increase in data breaches in recent years has highlighted the need for cybersecurity skills in the workforce. Private companies and the government alike have struggled to recruit people who can help them fend off digital attacks.

“Our research reinforces what many have been saying: there is an incredible IT security skills gap. But what we’ve revealed is that a major root cause is a lack of education and training at accredited schools,” CloudPassage chief executive Robert Thomas said in a blog post about the study.

It's possible students could be learning cybersecurity skills as a component of other classes. "For a long time there have been attempts to get more security taught in traditional computer science courses -- teaching secure programming as part of a general programming curriculum, for example," said David Raymond, the deputy director of Virginia Tech's IT security lab.

‘Inadvertent’ cyber breach hits 44,000 FDIC customers

But it's hard to know how often that actually happens. Computer science professors may focus on other things because they view security as a hands-on subject rather than the sort of high-level concepts traditionally taught in their classes, according to Raymond.

Some schools offer specialized paths of study that focus on cybersecurity as a component of a broader computer science program. Virginia Tech offers an undergraduate minor and a graduate certificate in cybersecurity, for example.

But universities around the country should be doing more to emphasize security so students are prepared for the threats they're bound to face, Raymond said.

"We're not operating on the same network we were operating on 10 years ago or even five years ago," he said.